[VIM] Missed PHP file include in recent Calendarix

Steven M. Christey coley at mitre.org
Mon Jun 6 23:51:35 EDT 2005


reference:

  BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
  URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0356.html


Multiple VDBs seem to have missed the following portion of the post:

        Include

        line 16
        admin/cal_admintop.php:include_once($calpath."cal_utils.php");

I downloaded the demo version of Calendarix, and there are only 2
previous PHP statements before this line - both include statements,
neither of which seems to define $calpath, which is defined in
cal_config.php.  cal_admintop.php itself is included a number of times
in other files.

Thus it appears to be a typical file include issue where an include
file depends on variables defined by previously included files, but is
directly callable assuming the relevant PHP configuration
etc. etc. etc.

Also, at least two of the SQL injection issues in the "catview"
parameter seem to lead to the same eventqry function as defined in
cal_utils.php.

cal_day.php line 112:

  $result = eventqry($vda,$vdm,$year,$uname,$order,true,$catview) ;

cal_week.php line 193:

	$result = eventqry($fdd,$fdm,$fdy,$uname,$order,true,$catview) ;

cal_cat.php lines 34 through 39 have their own vulnerable select
calls, though:

  if (($ALLOWVIEW[6]==1)&&($catview!=0)) 
	$query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview";

  if ($ALLOWVIEW[11]==1)
	$query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview or parent_id=$catview";
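The two corrections such a fix would take, as an added PHP sketch that is not Calendarix's own code: an entry-point marker so cal_admintop.php refuses direct requests (and so $calpath can only come from cal_config.php, never from the request under register_globals), and the cal_cat.php lookup with catview validated and bound as an integer instead of interpolated. The CALENDARIX_LOADED constant, load_categories() and the PDO handle are assumed names.

```php
<?php
// --- cal_config.php (included first by every intended entry point) ---
define('CALENDARIX_LOADED', true);   // assumed marker name; set only here
$calpath = __DIR__ . '/';            // defined server-side, never from the request

// --- cal_admintop.php ---
// Refuse to run unless cal_config.php has already been loaded. Without this
// guard a direct request to cal_admintop.php reaches include_once() with an
// undefined $calpath, which register_globals lets the requester populate.
if (!defined('CALENDARIX_LOADED')) {
    http_response_code(403);
    exit('Direct access not permitted');
}
include_once $calpath . 'cal_utils.php';

// --- cal_cat.php ---
// Replacement for the two string-built selects: the table name is a
// server-side setting checked against a strict pattern, and catview is bound
// as an integer so it can never alter the query structure.
function load_categories(PDO $db, string $catTable, int $catview, bool $withChildren): array
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $catTable)) {
        throw new InvalidArgumentException('invalid category table name');
    }
    $sql = "SELECT cat_id, cat_name, cat_color, parent_id FROM `$catTable` WHERE cat_id = :cat";
    if ($withChildren) {
        $sql .= ' OR parent_id = :parent';   // distinct placeholder: PDO may not reuse a name
    }
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':cat', $catview, PDO::PARAM_INT);
    if ($withChildren) {
        $stmt->bindValue(':parent', $catview, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate at the request boundary: anything that is not an integer becomes 0,
// which the original code already treats as "no category selected".
$catview = filter_input(INPUT_GET, 'catview', FILTER_VALIDATE_INT);
if ($catview === false || $catview === null) {
    $catview = 0;
}
if (($ALLOWVIEW[6] == 1) && ($catview != 0)) {
    $rows = load_categories($db, $CAT_TB, $catview, false);
}
if ($ALLOWVIEW[11] == 1) {
    $rows = load_categories($db, $CAT_TB, $catview, true);
}
```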


This was based solely on source code inspection of the demo version of
Calendarix Advanced.

I'll be sending an inquiry to the developer shortly.

- Steve